PROTECTING UTILITIES’ CRITICAL : THE PSC’S ROLE

Terry M. Jarrett
Commissioner, MoPSC

DISCLAIMER
• The opinions expressed in this presentation are mine, and mine alone, and are not those of the Commission, any Commissioner (other than myself) or any member of the Staff of the Commission. Further, nothing in this presentation should be attributed to any case or matter before the Commission, to any member of the Staff of the Commission, other Commissioner or the Commission.

Overview
• Background
• Key security issues for regulators
• What regulators should do
• What utilities should do
• Final thoughts

About The PSC
• Created in 1913
• 5 Commissioners, six-year terms
• Regulate utility rates, and safety for - owned electric, gas, , sewer and
• Regulate safety issues for rural electric and municipally-owned utilities
• Serve as a proxy for

PSC Commissioners

Jeff Davis, Chair
Connie Murray
Robert M. Clayton, III

Terry Jarrett
Kevin Gunn

What is ?
• Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national or safety, or any combination of those matters.

The Threat
• Pres. Bush, State of the Union, 2002:
    • “[O]ur discoveries in Afghanistan confirmed our worst fears, and showed us the true scope of the task ahead. . . . We found diagrams of American plants and public water facilities. . . . .”
• Ensuring adequate protection against terrorist threats is imperative for state and federal regulatory commissions

Familiar Incidents
• Natural Disasters—e.g., weather-related
• Vandalism
• Bomb Threats at plants or facilities
• Picture taking or videotaping of facilities
• Cyber/IT systems intrusions
• Theft—vehicles, uniforms and $$
• Manmade disasters—e.g., leak, train accident

Is there a threat to Critical Infrastructure?
• Terrorist Organizations
• State sponsored activity
• Recreational Hackers
• Hacktivists
• Organized Crime
• Trusted insiders
• Foreign and domestic competitors
• Lone criminals
• The unknown

Historical Reliability and Security
• Primary job—Keep utility services going
• One of the most reliable systems in the world
• Designed to withstand certain incidents
• Public safety and system recovery is critical focus
• Security is an ongoing aspect of reliability

Utility Infrastructure—A Key Security Component
• Utility sector is a $300 BILLION component of the U.S. economy
• Provides a platform on which all other industrial sectors are dependent

Regulated Utility Sectors
•
• Natural Gas

• Water/sewer
• Telecommunications

Interdependencies Among Critical

State Commissions Have a Limited but Important Role in Homeland Security
• Lead role in determining:
    • Who pays for increased
    • Standards by which such security spending will be considered reasonable and appropriate

Key Homeland Security Issues Facing State Commissions
• Protection of sensitive information
• Security measures
• Cost recovery

Protection of Sensitive Information
• of utilities normally conducted in a transparent manner to provide the public with a clear understanding of the utilities’ conduct
• Trend is to allow more information to be shared with the public

Protection of Sensitive Information Cont.
• Sensitive security information does not fall under normal assumptions about the desirability of public transparency
• It would be self-defeating to publicize the specific security measures a utility has undertaken since this would inform would-be attackers of the obstacles they would face
• Utilities might be reluctant to share security information with regulators without a method to protect the confidentiality of the security information

Protection of Sensitive Information Cont.
• Response to need for greater protection of security sensitive information
    • State Statute—Sunshine law exception for “information that is voluntarily submitted by a nonpublic entity owning or operating an infrastructure to any public governmental body for use by that body to devise plans for protection of that infrastructure, the public disclosure of which would threaten public safety”
    • PSC Regulation—Allows utilities to designate information as “Highly Confidential” and file it under seal

Security Measures
• How do we evaluate security measures?
    • Regulators do not have well-established precedents by which to evaluate the appropriateness of utilities’ efforts to protect their critical infrastructure
    • Normal procedure is to rely on witnesses in a proceeding to provide testimony about appropriateness

Security Measures Cont.
• All utility sectors operate under some level of security guidelines
    • Electric—North American Electric Reliability Council (NERC)—intra- organization that has developed guidelines and best practices for both physical and cyber security
    • Gas—Security practice guidelines developed by the Department of Transportation’s Office of Pipeline Safety (OPS)

Security Measures Cont.

    • Telecom—Network Reliability & Interoperability Council (NRIC) is an intra-industry organization that has developed an extensive list of best practices for the industry
    • Water and Sewer—The Environmental Protection Agency (EPA) is the lead federal agency for the security of drinking water and waste water—conduct vulnerability assessments and revise response plans accordingly

Security Measures Cont.
• Question for regulators—official standards or voluntary guidelines?

Cost Recovery
• Regulated companies are allowed to recover costs that are both prudent and “used and useful” (Prudence review process)
• The commission is responsible for reviewing the costs and challenging those that were not prudently incurred and used and useful
• While commissions want to ensure that utilities do not underinvest in security, they must also guard against excessive or inappropriate spending

Cost Recovery Cont.
• Security expenses can be grouped into two categories
    • Physical security of a utility’s personnel, production plants, and distribution facilities
    • Protection of computer networks and digital control systems (such as SCADA) used in utility service, also known as “cyber security”

Cost Recovery Cont.
• An effective security plan could include
    • Identification of critical infrastructure
    • Vulnerability assessment
    • Physical security
    • Threat detection
    • Event mitigation
    • Existence of a chain of command for operation decisions in the event of an emergency

Cost Recovery Cont.

    • Communications plan for vital public information
    • Continuity of operations provisions
    • Damage assessment procedures
    • Response and recovery procedures
    • Plans for interaction with state and federal emergency response officials

What Should Regulators Do?
• Some suggestions
    • Examine existing guidelines and standards from NERC, OPS, NRIC and EPA to determine which ones to use in their proceedings
    • Think of critical infrastructure as ones which increase shareholder value because they add to reliability

What Should Regulators Do?
• Some suggestions
    • Encourage informal dialogue with utilities to explore ways to improve critical infrastructure security
    • Monitor—keep up-to-date

What Should Utilities Do?
• Some suggestions
    • Comply with security and utilize applicable industry security best practices
    • Perform vulnerability and assessments
    • Undertake mitigation reviews
    • Increase senior awareness

What Should Utilities Do?
• Some suggestions
    • Review coverage and contracts
    • Develop short and long-term security plans
    • Periodically re-evaluate plans and procedures and make changes when necessary
    • with customers and other utilities

What Should Utilities Do?
• Some suggestions
    • Establish and maintain strong relationships with law enforcement and state emergency management staff
    • Evaluate interdependencies

Final Thoughts
• The state regulatory commission’s role is a limited one in the larger scope of homeland security, but it is one in which state commissions have a unique authority: determining how to pay and who should pay for security costs
• States are able to rely on existing regulatory procedures for exercising this authority, and can adapt these procedures to ensure the reliability and safety of the nation’s critical utility infrastructure.

Questions?
Terry M. Jarrett
Missouri Commission
573-751-3234
www.psc.mo.gov